Service Organization Control (SOC) Reporting for PEOs

SOC Reporting will help your organization gain a competitive advantage by validating the efficiency and effectiveness of your internal controls, identifying areas of improvement and improving financial reporting integrity.

Why is SOC 1 Reporting important?

PEOs should regularly assess and address risks faced by customers related to financial reporting, compliance with laws/regulations, and efficiency and effectiveness of operations.
A clean SOC 1 report, issued by an independent third-party CPA firm as a result of an audit process, is evidence that the PEO is evaluating and reporting on operational controls related to Security, Availability, Processing Integrity, Confidentiality and Privacy.
Auditors evaluate the infrastructure, software, people, procedures and data to perform the attestation. The suitability of the design of certain internal controls is tested in the SOC 1 Type 1 Examination, which asserts that the PEO's system and services are compliant with SOC 1 standards as of a specified date (e.g. August 4, 2014). The SOC 1 Type 2 Examination reviews the operating effectiveness of the internal controls defined in “Type 1” over a specified period of time (minimum of 6 months).
There are many benefits to going through the process and obtaining the SOC 1 Attestation, including improvements in customer service quality and consistency, confidence in the functioning, efficiency and effectiveness of internal controls, expansion of potential new clients that require the report (public companies) and marketing your services as trustworthy and accountable, which all lead to increased client retention, profitability and productivity.

What should you consider?

1. Definition of the Scope

Define the system, products/services, and locations under review. For example, the audit may only include one location and the payroll processing system. Third-party service providers, or subservice organizations, may also be excluded from the scope of the report. Expected uses of the report should determine the appropriate scope parameters.

2. Control Objectives

Control objectives identify the desired result or purpose of implementing control activities and address risks related to security, availability, processing integrity, confidentiality and privacy. The CPA firm performing the audit may help build control objectives that are commonly used for your service or industry; however, management is ultimately responsible for the definition of control objectives and related controls.

3. Control Activities

Control activities include management’s policies and procedures that help ensure the PEO’s control objectives are in place and consistently achieved.

4. Standard Operating Procedures (SOP)

Standard Operating Procedures (SOPs) are the policies and procedures that are designed to standardize processes, mitigate risks and define the company’s control points. The SOPs are reviewed as a control activity for each control area to understand the process, systems, policies and personnel involved.

How RVR Can Help

Project Management
RVR functions as the Project Manager for PEOs to prepare for SOC 1 Type 1 and Type 2 Examinations. In this role, RVR develops and documents Standard Operating Procedures (SOPs), serves as the liaison with the CPA firm and performs internal testing to ensure controls are compliant, consistent and effective. RVR works with the PEO’s executive team to drive communication, productivity and accountability as an objective third-party.

Process Analysis and Improvement
RVR helps analyze processes and procedures related to payroll processing, information technology, client setup, payroll tax reporting and processing, and other related control areas involved in the SOC 1 audit. We identify gaps and inefficiencies that may exist and provide recommendations that reduce time, minimize costs or improve accuracy of the service model while maintaining control objectives.

Sources:

– AICPA Guide: Reporting on Controls at a Service Organization (March 1, 2012)

– BrightLine (www.brightline.com/)

RVR professionals are attending the NAPEO conference and we would love to discuss your business and how we can work together to address your needs.

Please contact us at 407-677-0400 or use the form below to set up a meeting during the conference.

Published on 10th September 2014 by Jessica McKeeby
Categories: Finance, Strategy